CVE-2026-44971

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an...

CVE-2026-44971

GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an...

EUVD-2025-203462

Weblate has a Server-Side Request Forgery issue...

LibreNMS: Cross-Site Scripting in ShowConfigController

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the rancidrepourl configuration value. When a user navigates to a device's configuration page, this unsanitised...

Server-Side Request Forgery

Weblate is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to missing validation of repository URLs during project backup import, where Component.objects.bulkcreate bypasses Django fullclean validation and allows attacker-controlled repository URLs to be written into...

SUSE CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CVE-2026-41654 Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

Weblate 输入验证错误漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17.1 had a vulnerability related to input validation errors. This vulnerability stemmed from the lack of validation of the repository URL in the component JSON during...

PT-2026-36816

Name of the Vulnerable Software and Affected Versions Weblate versions prior to 5.17.1 Description An authenticated user with project.add permission can import a specially crafted project backup ZIP file. If the components/.json file within the ZIP contains a repo URL pointing to a private addres...

MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration 注入漏洞

MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration is an integrated model control plane server developed by DVladimirov, which integrates OpenAI, Git, a file system, and Prometheus. Versions of MCP Server with OpenAI, Git, Filesystem, and Prometheus Integration prior to 0.1.0 hav...

Arbitrary Argument Injection

Overview skilleton is a Skills skeleton: deterministic AI skill dependency manager Affected versions of this package are vulnerable to Arbitrary Argument Injection via improper handling of repository and path input in the normalizeRepoUrl function. An attacker can cause unsafe or inefficient...

JetBrains TeamCity < 2025.11.2 Multiple Vulnerabilities

The version of JetBrains TeamCity installed on the remote host is prior to 2025.11.2. It is, therefore, affected by Improper repository URL validation could lead to local paths disclosure. Note that Nessus has not tested for these issues but has instead relied only on the application's...

CVE-2025-66407 Weblate has Server-Side Request Forgery vulnerability

Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...

EUVD-2025-202697

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure...

CVE-2025-67739

JetBrains TeamCity is affected if running a version prior to 2025.11.2. The CVE-2025-67739 issue is caused by improper validation of repository URLs, which could allow disclosure of local file paths. The Nessus and vendor entries corroborate that older TeamCity builds are vulnerable to local path...

PT-2025-50625

In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure...

HSEC-2023-0009 git-annex command injection via malicious SSH hostname

git-annex command injection via malicious SSH hostname git-annex was vulnerable to the same class of security hole as git's CVE-2017-1000117. In several cases, git-annex parses a repository URL, and uses it to generate a ssh command, with the hostname to ssh to coming from the URL. If the hostnam...

EUVD-2017-4373

Malware in sbrugna...

EUVD-2016-8643

Malware in sbrugna...